- [Occupy the Web] As a
matter of fact, you know, being in the US makes it
somewhat more challenging to be too anonymous
because we have the NSA who has their fingers
into every transaction. So all you NSA people out there who're watching this video, we know. We know what you're doing. And... (laughs) So that was episode one and
this is an important lesson. And Elliot says, "Whoever controls the
final hop on the network, controls the traffic." - The onion routing protocol, it's not as anonymous as you think it is. Whoever's in control of the exit nodes is also in control of the traffic, which makes me the one in control. - [Occupy the Web] And
that's the same thing that the NSA knows, is that they know whoever
controls the final hop controls the network. You know, from my experience of dealing with all of these young people, that's like their ultimate goal, is to be able to hack their
neighbor's wifi, right? - [David] Yeah. - [Occupy the Web] That's
why they all want those wifi, they wanna get the wifi of the neighbors. And they think also that, maybe we should throw this in here, is that they think that if
they use their neighbor's IP address that they're safe. - So joking aside, 'cause
obviously we don't recommend that, would using your neighbor's
wifi actually keep you safe? - [Occupy the Web] You know,
a lot of people believe that if they use their neighbor's wifi, that they're gonna be safe because the IP address is going to be, show that the neighbor
was on that website. Many years ago, I was working
with an investigator for, I think he was with the Navy at the time. He was what they call the Naval
Criminal Investigation Unit. And he and I were talking
and he said to me, "That doesn't work." And I said, "Why not?" He says, "Because whenever
there's a crime committed, the first, and it's clear that the
people whose home wifi did not commit the crime, the first thing we do is we
start knocking on the doors of everybody within a few houses. And 100% of the time," 100% of the time is what he said. I'm not saying this, he said it. He said, "100% of the time,
we will find the person who committed the crime within
a few houses," all right? - Wow! - [Occupy the Web] So he says... And I said, "A hundred
percent of the time?" He goes, "Yes, 100% of the time." Even though it's possible
to be able to pick up wifi, in some circumstances
with special yagi antennas and what have you, you can pick up wifi for a
little or two, all right? But hackers, because
they're people who think that they can get away with a crime by using their neighbors, they almost always get caught because they are using
the next door neighbors or the person two or three houses down. And then, law enforcement just
has to go knocking on doors and asking questions. I was surprised when he told me that, and he said "100% of the time." And so since that, this is over 10 years ago, I've kind of checked the
cases, and he's right. 100% of the time the
person is right next door, or right behind the house, or in the same apartment building. - Hey, everyone, it's David Bombal, back with Occupy the Web. It's been too long since
our last interview. So glad to have him back. Occupy the Web, welcome. - [Occupy the Web] Thanks, David. It's always good to be back on the best IT cybersecurity
channel on YouTube. - That's very kind of you to say that. If you don't know who Occupy the Web is, have a look at our previous
videos, which I've linked below. He's also the author of this book, "Linux Basics for Hackers." Fantastic book if you wanna learn Linux from a hacker's point of view. He's also recently published this book, "Network Basics for Hackers." What I love about his books is he takes subjects
like networking, wifi, whichever subject you're
interested in, like Linux, and he teaches it from a
hacker's point of view. He's also got this book, "Getting Started Becoming
a Master Hacker." Really great to have you
back, Occupy the Web. What are we talking about today? Because this is a really
good topic, I think. - [Occupy the Web] Well, today's topic is how to remain anonymous on the internet. This is a subject matter that
is near and dear to my heart. - I've just gotta interrupt you before, 'cause I wanna say this. For everyone who asks,
'cause I get this a lot, I don't know who Occupy
the Web actually is. Because you're anonymous to me as well. I don't know your name, I don't know where you live. I kind of believe that you live in the US, but I know almost nothing about you. So you've done a really
good job of being anonymous, so I think you're the right
person to talk about this. - [Occupy the Web] Ah, thanks. Yeah, I am in the US, so you can tell my American
accent that I'm in the US. As a matter of fact, you
know, being in the US makes it somewhat more
challenging to be too anonymous because we have the NSA who has their fingers
into every transaction, every packet that traverses
the internet through the US. They don't necessarily
have that around the world. They try to have that around the world, but they definitely have it in the US. So all you NSA people out there
who're watching this video, we know, we know. We know what you're doing (laughs) and we know that you're
looking at every packet, and they know exactly who everybody is. And the NSA folks, they have made it really clear to me that they know who I am. They have actually, you know, they sent me messages saying,
"We know who you are." And they do that on
purpose because the NSA, they kinda see the
internet as their territory and they wanna know everybody
who's in their territory. So, trying to stay anonymous from the NSA is really, really hard
if you're in the US. It's not as hard in your other countries, but in the US it's really hard because they basically have taps into all the pipelines of
all the traffic in the US and they capture every
packet and can examine it. If they want to know who you are, then they can find out, so. But if you're in other countries, it's a little bit easier to
stay anonymous from the NSA and the other intelligence agencies. But it's really hard to stay anonymous from your own country's
intelligence agencies because all of them have
taps into the local internet. So let's say this right up front, okay? That it's really hard to stay anonymous from your own country's
intelligence agencies. I also want to point out
that if you become a target from these intelligence agencies, it's really, really
hard to remain anonymous because they have tools that make it really, really
difficult to stay anonymous. David, you and I are gonna
do a show on Pegasus. - Yeah. - [Occupy the Web]
Pegasus is this notorious cellphone hacking software put out by NOS, I mean NSO, (laughs) the Israeli hacking group. And with Pegasus, they can basically just target your phone and take over your phone and then, of course, you're not anonymous. Every message that you send on your phone, all your geolocation services, every message you send becomes captured by the
intelligence agency. So, that's a whole different bailiwick of trying to remain
anonymous from those guys, 'cause they have capabilities and they have legal sanction to do things that nobody else does. - You're talking offline,
there's different levels, right? So you've got like the commercial
companies, is that right? And then it, like the NSA is sort of,
like, right at the extreme. - [Occupy the Web] NSA is the
extreme in the United States because, literally, they're
given access to all the pipes and they can see all the
traffic and they can trace it, but they don't have that, necessarily, that access
in other countries. Some countries they do, but in the US they've
been given total access to all the pipes, and so they collect all of the data. They have this big data farm where they put all the data in there and they can basically trace just about, they can trace anybody, and they get metadata
off all of the packets and all of the traffic. If you become a target,
then they can do even more and get more information about you. - So I mean, some people might be
disappointed by what you said because it's like, how
do I stay invisible? How do I stay, you know, anonymous? Can I stay anonymous from Google? Can I stay anonymous from anyone? Or as soon as I go on the internet, am I gonna be discovered? - [Occupy the Web] Well, if
you're trying to stay anonymous from the commercial interest, that's relatively easy and
we can talk about that. The other thing that I
find with a lot of people is that they believe that
the only way to trace them is through their IP address. So there's this fixation on being able to hide their IP address. There's other ways of
tracing your identity other than your IP address. So, if all you're focused on
is hiding your IP address, you're gonna be exposed by
both the commercial interests and you know, the law enforcement and intelligence agencies. So you have to think about
all of the different ways that somebody can trace you. And that's why one of the
things that I emphasize is that if you want to
remain anonymous and safe, you need to understand forensics, you need to understand OSINT. So if you understand both of those fields and you understand then, what
people can do to find you and find your information, then the better off you are in being able to hide your
identity and your traffic. - But are you saying that VPNs are, like all these VPN adverts are wrong? You know, if I get a VPN, I'm safe. (David and Occupy the Web laughing) - [Occupy the Web] Well,
let's start off by saying one, okay, that you're only as safe
as the VPN is safe, right? So the VPN is going to hide
your IP address, right? And that's what I was, my point I was trying to make earlier is that there's obsession
with the IP address, but- - A whole business has been built on this, or a whole industry. Sorry, I'm just being sarcastic here. - [Occupy the Web] And we're
gonna blow it apart, right? Because yes, it's a good measure. VPNs are a good measure,
proxies are good measures, Tor are good measures, but there are ways of tracing
you, other than just the IP. All of those, okay, are going
to hide your IP address, but there's other ways of tracing you other than just your IP address. One of the things you have to keep in mind in trying to remain anonymous is that you can only put up, you know, you can put up hurdles, all right? But it's almost impossible, if an intelligence agency
wants to find you, they do. If law enforcement is
going to try to find you, they have resources, but they have to expend a lot
of resources, if you're good, they have to spend a lot
of resources to find you. Now, in general, you know, most people who are
navigating the internet are not thinking about anonymity and basically they're giving
away all of their information about their entire life
to commercial interests like Facebook or Google and others. I don't, you know, I'm
not comfortable with that, maybe you are, but- - No, no, no, no. - [Occupy the Web] Yeah. Yeah. And so, one of the things
you have to keep in mind is that if you're using Chrome, which is a great browser by the way, Google makes a really good browser and I really love Chrome, but it's constantly sending back all your personal information
back to Google headquarters. If you're ever using Chrome,
open up, say, Wireshark, while you're using Chrome. And what you'll see when
you're using Wireshark is that Chrome is constantly communicating back to Google headquarters
everything that you're doing. (Occupy the Web laughing) They're constantly sending
back information on you. So when you get an ad that you go, "Gosh, that's amazing. I was just thinking about buying that. How did that pop up on my screen?" Well, that's no mystery because not only are they sending back information about you, but remember we're living in the era of artificial intelligence. And artificial intelligence is not only looking at
what you're searching for, but they're trying to
create a mind map of you. So what they're doing
is that they're saying, "The person who is doing these
types of searches is likely, the next thing they're gonna want is this, because that's the
pattern that we understand from looking at billions
of people in the world, that with these characteristics,
they're gonna want this." And...
- [David] That's crazy. - [Occupy the Web] They can
actually anticipate your needs and send you an ad for it. So if you wanna stay
anonymous from those people, that's a little bit easier to do. Now, one of the things is, first off, is don't use Google Chrome. (laughs) 'Cause Google Chrome is
owned by Google, right? And it's communicating. Bing is communicating to Microsoft. Even Mozilla is communicating back. 'Cause Mozilla's a little
safer than the others, but still, you know,
they're communicating back what you're searching for on the web. There's a relatively new browser
called Brave, right? That- - [David] Yeah, I use it too. - [Occupy the Web] Yeah,
you use it, I use it. That is more anonymous than the others. So that's one of my first recommendations, is get away from using
Chrome and Bing and go to- - When you say Bing, you mean one of their new browsers, right? Edge, right? Edge. - [Occupy the Web] Edge. I'm sorry. - Yeah, no worries. - [Occupy the Web]
Bing, the search engine. Yeah, Bing is their
search engine, Edge is... So yeah, those products are designed to capture
information about you. And then once somebody
captures information about you, it's pretty easy for them to be able to determine who you are. There's other things that
can also be captured, like for instance, there's... Whenever you visit a website, you know, you are presenting these cookies that are in your browser, right? So if there's any cookies in your browser, they are going to appear. And that cookie has
identifying information, at least if it's a cookie
that has been placed there by Google or Facebook, okay? And both of those companies
put cookies in your browser, then it's going to identify
who you are, all right? So one of the things you
can do with your browser is go to the settings
and turn off No Cookies. Now that's gonna make your life
a little bit less convenient 'cause that means you're
gonna have to log in to every website and nobody's gonna know
who you are when you go in. You log into your Facebook account, they're not gonna
automatically know who you are and log you in or other services. So it makes life a little more difficult, but it's gonna save your identity. - You would use like, recommend using private browser windows, stuff like that, right? - [Occupy the Web] Private browser windows and just turning off the No Cookies, okay? On any browser that you're using, it's gonna come in different places. It's usually gonna be
in Settings, Security, and you can go ahead
and click on No Cookies. Cookies are a lot of information. For those of you who aren't
familiar with cookies, cookies is basically a text file that has information about who you are and what your interests are. It may actually include things like your username and password. This is a, as you traverse the internet, these cookies can be
presented to other people, other websites. So people are focused on IP addresses. But remember, for somebody to
identify you by IP address, they actually would have to
get into the ISP or the VPN to get their records, their
log files to identify you. IP addresses are something
to be concerned about, but these other issues
are equally important in terms of trying to
maintain your anonymity on the internet. One of the things that
I'd like to show you here, let's go into Kali. And talking about IP addresses, one of the things that is
available to us in Kali and other places is what's
called proxy chains. So proxy chains is a
tool that uses multiple, it can use a single proxy
or multiple proxies, okay? To be able to hide your IP address. So let's go, just hiding your IP address, we're going ahead, let's
open up a terminal in, I've got some, let's
open up a new one here. There's a tool in Kali that
allows you to use proxies. It's called Proxy Chains. So you can just go proxy
chains, it's built into Kali and others. Not just Kali, but there's
Parrot and Arch Linux and a number of others have proxy chains built into it, as well. The key to using proxy chains is simply to set up the
configuration file in Linux. You know, every configuration file
is simply a text file. All you have to do is
go into the text file to be able to edit it. So let's go and look at the
proxy chains configuration file. Let's see, I'm gonna use that mousepad, which is built into Kali. It's GUI-based versus Vim. And we're gonna go, is that
etc proxy, if I remember? Where's that? proxychains.conf. Nope. It's not there. We'll close this. Yeah. Okay. Let's go to cd, etc, and we'll go to... Etc is where most of the
configuration files are in Linux. And you go up to, you'll see up here, proxy chains 4. That's what I had wrong. It's four. So we're gonna go up arrow
here, let me clear my screen. All right, so then we're gonna go
mousepad, proxy chains four, and then look at that. All right. All right, here we go. This is the configuration
file for proxy chains. What proxy chains will do is it'll allow you to select proxies that will then take your traffic and move it through a
proxy, hiding your IP. And you can even send it
through multiple proxies. As you can see here, there's all of this up
here is basically comments describing what they do. The option below identifies
how ProxyList is treated. You can have a dynamic chain, where each connection will
be done via chain proxies. A strict chain, okay, which is what I have uncommented. So we'll just use a
strict chain, initially. Here's a round robin chain. Each connection will be
done via chain proxies at the chain length, which is a variable. You can set the chain length. There's a random chain. Each connection will be
done via a random proxy. All right. Here's a chain length, by
default it's set to three. And then if we scroll
down a little further, we'll see there's a number
of other variables here. Here's the ProxyList format. It's gonna look like this. Socks5 and then the port number and if there's a username and password. Okay, http, these are
all local IP addresses, so you know they're really, those aren't ones that you'd
want to use. All right? What I've done, and usually it's set
by default within Kali, in this proxy chains is using the socks5 and then using 127.0.0.1,
your local host on 9050. This is Tor. As you know, Tor is the special and separate network of routers, okay? That encrypts your traffic
from hop to hop to hop. Tor was originally
developed by the US Navy so that they could go ahead
and navigate anonymously. It's now an open source project. We do know that there
are some issues with Tor, where it's not totally anonymous. Institutions and intelligence agencies like the NSA can still crack Tor, but it's still pretty effective
for what we want to do here. So let's go ahead and try it out. Just using Tor as our proxy chains. You can go ahead, once you set those major settings, go ahead and save and then close it. And now, what you need to do
is to go ahead and start Tor. All right? So you can go sudo systemctl, start Tor or enable Tor. So Tor should be running
now in your system. Then let's go to proxy chains. You can't use sudo because
Mozilla doesn't like it. And then just go Mozilla. And now what this says
is it runs proxy chains and then runs Mozilla, Firefox. I guess it's actually Firefox is the, Mozilla's the name of the project. Firefox is what it is. And there we go. - So what you've done
now is you've started Firefox as a browser, but going
through Tor network, right? - [Occupy the Web] Right. I'm running my Mozilla Firefox
through the Tor network. You can see it in the background here. Let's kind of see if we can
get both of those online here. All right. You can see it's
running through a strict chain. It tells us right here, strict chain, which means that it's only, it's going to go through
all of the proxies that you've listed. In our case here, we've only listed one, we've listed the Tor network. And then let's go and
let's go to Hackers Arise. - [David] I hear it's a good website. - [Occupy the Web] I hear it is too. Yeah. Lots of good information there. - [David] That's right.
- [Occupy the Web] Right. So you can see that it's going through and it's anonymizing my traffic coming through the Tor network. So we could use both, there
is a separate Mozilla, or not some Mozilla, a Tor browser, or we can use the Mozilla built in to Kali and just send it through the Tor network. Let's check our IP on this. Okay, let's go, what's my IP? - [David] Yeah, you live
in Amsterdam now, right? - [Occupy the Web] Amsterdam. Okay, Amsterdam is where
it's at. That's my location. Let's go and refresh again. Let's see if we can get
a different Tor router. And this one's still same IP. - [David] Yeah, you're still in Amsterdam. - [Occupy the Web]
Sometimes you can go ahead and just refresh it and
it'll jump to another IP. Let's see if we can get
another IP out of it. You can see how slow it is. This is one of the drawbacks to using Tor. Some of the commercial
proxies will run a lot faster. I think I've told this story before, that when I was doing some
work in Washington DC, I was doing a training
of FBI, a few years back and I thought it'd be funny that when everybody was out at lunch, that I was going to go ahead, and this was when the Silk
Road was still up and running, I said I had the Silk
Road up on the screen as they walked in from lunch. And they had all the drugs for sale. - Ooh. - [Occupy the Web] So
they came back from lunch and I had the Silk Road up on the screen. You can tell this has been a while, 'cause the Silk Road's
been down for a while. But of course there's other sites now that do the same thing on the dark web. And I said, "Okay, you guys, what are you gonna do about this?" And they said, "That's not our problem. That's drug enforcements." And interestingly, if you know the story, that
it actually was the FBI that took down the Silk Road, even though their response to me was, "No, that's not our job.
That's drug enforcement." - And didn't you say
something along the lines that it was actually very fast because it looked like you were
using one of the local nodes or something? - [Occupy the Web] Exactly. So I did tell the story here before. Yeah. So I'm in Washington DC and I'm like, "Gosh, you know, it's so much
faster in Washington DC." And that was before I knew
that the NSA had nodes all around the Washington DC, so that it was running just as fast as my regular internet would in DC because they've got nodes
distributed all over DC to make sure that they
can see all the traffic. Interestingly, if you've watched the "Mr. Robot" series, in the very first episode, Elliot is able to, he
goes into a coffee shop, it's like Dan's Coffee Shop
or something like that. And it turns out that Dan is
actually running a (bleep) server from his coffee shop and Elliot discovers this and confronts him with this information and he's like, "How do you know that?" You know, how can you, he said, "Well, because your internet is so fast, that I always come here
to use your internet. And then I began to
wonder why is it so fast?" And so, and he put up a
node on the Tor network and was able to see the
traffic going to his server and then got into the server
and saw that was all... (bleep) So that was episode one. And that's an important lesson. And Elliot says, "Whoever controls the
final hop on the network, controls the traffic." - The Onion Routing Protocol, it's not as anonymous as you think it is. Whoever's in control of the exit nodes is also in control of the traffic, which makes me the one in control. - [Occupy the Web] And
that's the same thing that the NSA knows, is that they know whoever
controls the final hop, controls the network. So he did the same thing. It's easy, you can set up a router on
the Tor network easy enough. You just go to the website and they have the
software you can download and put yourself as a
router on the Tor network. - So this the problem,
you're telling us about Tor, but we could be still compromised, right? - [Occupy the Web] Yeah. - Because the NSA could
have like exit nodes. - [Occupy the Web] Exactly. Whoever has that last exit
node controls the traffic. I'm gonna go refresh it one
more time and see if we... It's still sending me back
to Amsterdam consistently. I'm gonna go, let's stop it and try connecting again. And let's see if we can't
get a different IP address. There we go. And let's go. What is my IP? So it's coming out with
sockets here or timeouts whenever I go there. Let's go to Google again. Right here. Let's go what's my IP and see if we get a
different IP this time. Here we go. Detecting. Should get a different IP. Just gimme the IPv6 but not the IPv4. Yeah, have at least. Well this would actually be best, right? If the IPv4 is not detected, but it does have the IPv6
and still working on it and still comes back with Not Detected. So you could make the case
that that's even better. - [David] Yeah. - [Occupy the Web]
That's not detecting it, but I think it's basically
the website is the problem and not that the IP address is not no. Okay, so I'm gonna go
ahead and shut this down. I'm gonna go ahead and
shut down our proxy chains. One of the other things
that I wanted to show is that there's actually
a tool called AnonSurf that you can install on your Kali that will automatically
send all your traffic, okay, through Tor. So let's go there. Okay, we've got it installed now. All right, so now we've got a directory
called Kali anonsurf. Let's just take a look
and see where it's at. All right, here's Kali
anonsurf right here. Let's go into that directory. Okay, let's take a look inside there. There's the installer. And then we gotta run sudo installer.sh. (fast forward sound effect) Gives me errors while processing, let's see if we can get it to run. Okay. So, sudo anonsurf. Start. There it is. We're running anonsurf, okay? You can see it's killing
dangerous applications, cleaning some dangerous cache elements, stopping IPv6, starting anonymous mode, saving iptables rules, modified resolv.conf to use Tor and Private Internet Access DNS, all traffic goes redirected through Tor and you're under an AnonSurf tunnel. So now, what happens is
that everything you do on this operating system is gonna go through the Tor network. It's gonna be a little bit slower, but it's gonna give you better anonymity than it would otherwise. So, your IP address is gonna be hidden, except from the person
who has the exit node on the Tor network. And hopefully that's not the
NSA or the law enforcement. So a couple of the things
that we want to talk about, we talked about using, you know,
a browser like Brave, okay? That's not, and not collecting cookies, along cookies on your browser. One of the things that
people often ask me about is what's the safest operating system? And there's a number of 'em
that are out there that, you know, all of 'em pretty
much are using the Tor network to make you more secure. I found that using Kali,
using the anonsurf, it actually works pretty good, pushing everything
through the Tor network. The other issue that people
often ask me about is, how about using a phone, right? Isn't a phone a major vulnerability trying to remain anonymous? - [David] Androids. - [Occupy the Web] Whether
it be Android or Apple, because both of them can be
hacked by Pegasus, right? And so one of the things
about your phone is that you probably don't want
to use your actual phone whenever you're doing anything that where you wanna remain anonymous, because the data that's
collected from your phone is all available to law enforcement. They can trace your geo location, they can see your messages. One of the things that I recommend is to go out and buy a burner phone. A burner phone is simply a
phone, it can be a cheap phone. If you go into some of the phone stores, you can buy these phones
that are inexpensive. I think I've bought some of
'em as little as $20, $30 and put them on a pay-as-you-go contract, where you pay cash for them. And then that's really, really
difficult to trace, right? There's no way to connect
that phone to your identity. And so, then you can go
ahead and make your calls, send your messages from that phone. One of the things you want
to keep in mind, though, is that when you go to buy that phone, that you're not traveling with your other phone in your pocket because you can be then traced to the purchase of that phone, okay? Because every one of your
steps is being followed. Whenever you're traveling with your phone, there's always geolocation
that's available because your phone is connecting
to the cell phone towers and from the cell phone
towers they get your location. Now, it's not as precise
as GPS, but still, they can tell if you're going
into a store to buy the phone, they can trace you that close. So don't take your phone
with you, all right? Go buy your burner phone, use your burner phone for anything you wanna remain anonymous. Do not do any of the same things on your usual phone, your normal phone, as you would do on your burner phone. Do not go to the same websites, don't go use the same browsers. And so that's kind of the rules of thumb for using a burner phone. Ultimately, if you really
want to remain anonymous, I recommend using two separate systems. This is, if you can afford it, this is probably the best way to go. Of course, you know, you could have two separate
internet services, all right? Or you know, if you can
hack your neighbor's wifi, you can use their internet service. - I'm not recommending that you
do that. But someone like... - [Occupy the Web] No, no, I
would never recommend that. I'll never recommend that. No. And then you could use somebody
else's IP address maybe. But keeping your activities separate, in two separate systems is going to be one of the
safest things that you can do. 'Cause you're using a different browser, you're using different operating system, you are using a different IP address, so they can't be connected back to you. One of the things I also do is
that I create false profiles. I put false information
out on the internet so that that information
doesn't lead back to me. People try to connect
that information to me, but it really is false
information that's going to be, you know, there's breadcrumbs out there that somebody's gonna follow and it's gonna take
them to the wrong place. And if they follow all the breadcrumbs, it's gonna take them
to separate identities. This is the kind of
work that you need to do to truly remain anonymous because there's an awful lot
of information that's out there about you from OSINT sources,
from your cookies, from your IP address. And to really remain anonymous,
it's like a full-time job. You have to think about
everything that you do on the internet and whether or not it's going
to leave a trace back to you. - Is it safe for me to use an ISP or are there certain
ISPs that you recommend? I think Starlink was one that we've kind of mentioned in the past. - [Occupy the Web] Well, I use Starlink. And I use Starlink primarily because their IP addresses are
not geo-located, right? So if you go and somebody
looks at your IP address, all it's gonna do is it's gonna take 'em to a regional office of Starlink. So I find Starlink to be, just create one more level of anonymity into your traffic on the internet. It just, all it's gonna do is gonna say, "Hey, it's a Starlink IP address." Now, if Starlink wants
to give up your identity, then that's a different thing. Or if Starlink gets hacked, then your identity can
be resolved from that. But most, ISPs distribute IP addresses by location, right? So, somebody can find
out what city you are in. Not with 100% accuracy,
but pretty close to it. What city you're in
simply by your IP address, knowing there is these databases
of IP addresses and cities. So, I would say to create
one more level of anonymity, I like Starlink. And then run Starlink, say,
through proxies or VPNs or Tor. - So, a great thing about Starlink is you can often buy this
mobile solution, can't you? So you could drive around and you know, doesn't matter where you are, you could take it with you and then you could access the internet from different physical locations. But I like what you said there, because if I use internet
at my house as an example, and it's a fiber link
or something like that, I mean it's tied directly to my house. It's very easy to find me, right? - [Occupy the Web] Exactly. But with Starlink I could be anywhere. - [Occupy the Web] Starlink
allows you to be mobile. They charge an extra $25 a
month that gives you mobile. And so the satellite dish can move around. It, automatically, unlike some of the old
satellite technology where you were fixed
on a single satellite, in Starlink they have
thousands of satellites and the dish is smart enough
to find the closest satellite. So as you're moving, it goes and finds the
closest satellite to you. Makes it much harder to
be able to geo-locate you when you're using Starlink. - So I mean that's at least like, I'm trying to think in layers. Okay, so, how do I get to the internet? I could use Starlink, I could for instance go to
McDonald's or somewhere else and get onto the internet that way, but then I've gotta sit
in a cold train station or somewhere, you know, get onto the
internet somewhere, somehow. But least with Starlink, I've got something with
me that I can take around. - [Occupy the Web] Yes. Yeah, you can. If you're, you can put it
in your vehicle. (laughs) You know, if you're traveling,
you can take it with you and it will automatically
connect and there's nothing, there's no geolocation
that's assigned to it. Although, now you have to
pay for with a credit card. So your name is still
linked to that IP address. If somebody gets inside of Starlink or Starlink gives up your information. Now so, you know, Starlink
is an American company, as we all know owned by Elon Musk. If Elon Musk wants to give
up the information about you, then you're still not anonymous. - But at least it's one layer. - [Occupy the Web] It's one layer. And that's what you think
about, you're right. Gotta think about layers. - Layers! - [Occupy the Web]
Right? This is one layer that makes it just a
little bit more difficult to identify you. - Next one, and this is
always a question people have. Do I use a Windows computer? Do I use Apple, do I use Linux? Or you know, Apple, Windows
seem to both have a lot of, like, data that they pull from you, telemetry data that they pull from you. A lot of people don't trust them. So perhaps Linux is the best. - [Occupy the Web] Well, I
obviously would recommend Linux. One of the things that
both Apple and Microsoft do is that they put in user
IDs, a GUID into documents. And so that if you're creating a document and you're distributing that document, it can be traced right
back to your computer. One of the things I recommend
is do not use Microsoft Word or the whole suite of Microsoft products because they'll pull the globally
unique ID off the machine and put it into the document. This is where forensics
becomes really critical. So, you know, if you're
a forensic investigator, you know that. You know that there's a globally unique ID on that Word document. So if you're trying to trace somebody, you can pull that globally unique ID. It's not going to have
geolocation data in it. But once your machine is identified, they can say that this document
came from this machine. - Is it safe enough to
use a virtual machine or should I have a
dedicated physical machine that runs Linux? - [Occupy the Web] Physical
machine creates one more layer. If you're gonna run multiple machines, I would recommend one, one machine that you're doing stuff that you don't wanna be traced on and one machine that you're
doing everything else on. If you can afford that. If you can't afford that, I would say run a Linux
machine in a virtual machine such as VirtualBox or VMware workstation. - It's all about, like, cost versus what you're really
trying to accomplish, right? So I mean, if you really
want to go hardcore, you gotta spend the money
to do something like that, I would say. Yeah? - [Occupy the Web] Yeah. If you wanna really make sure that you're not gonna be traced, you want to go and spend
a little bit of money, possibly have two systems, you know, one of one that
you're only doing the work, you're gonna have a separate
identity for each machine, right? And you can create separate identities and not have them be connected
in any way, shape or form. - So like, we mentioned Starlink. So as an example, I could have like an
internet connection at home, that's my normal internet,
let's say fiber, whatever. And then I have a Starlink, which I do all my anonymous stuff on and then I have like a Linux machine that I use for my anonymous stuff and then perhaps whatever
operating system I like for my normal stuff. - [Occupy the Web] Exactly.
- What about phones? Because, like, they all
seem to be, you know, choose the worst type. It's like, is it iOS, is it Android or do I have to go and use
Graphene or something like that? - [Occupy the Web] You know,
that's a good question. Basically the most important thing I think is simply have a phone that
isn't linked to any carrier. Right?
- [David] Yeah. - [Occupy the Web] So any
carrier in any credit card. Because once you've linked a credit card, you pay for it by credit card or have a service through any
one of the major carriers, then you can be traced. These burner phones that
you can buy for cash. You can pay for them with cash, the service for cash, month to
month, the service with cash, that's really the only way to remain, to make certain that you're
gonna remain anonymous. And like I said, they should not be in
the same location, right? At the same time, right? If they're in the same
location at the same time, one of 'em has to be turned off, because once they're in the same location, then they can be tied
together to your location and your identity. - So in other words, Graphene
by itself wouldn't be enough. You'd want to buy a burner
phone with cash or something, 'cause it's not the operating
system that's the problem, it's the fact that it can
be traced to you. Right? - [Occupy the Web] Exactly. Exactly. That's, I agree. What I feel safest with is
simply using a burner phone. Right? That's why I feel confident
that can't be traced. - And what about VPN versus Tor? There's this, there's always good, argument on YouTube and
you know, on the internet and that's why it's great
to get your opinion, 'cause you're well experienced in this, should I use a VPN, like X, Y, Z VPN? Or should I use Tor? Or should I use Tor over a VPN? Or you know, what would you recommend? - [Occupy the Web] It all depends upon, you know, how much
protection that you want. VPN for the average individual who's trying to protect themselves
from commercial services, VPN generally are gonna be pretty good. But remember that you're
putting your hands, you're putting your life, maybe, into the hands of the VPN developer. They have all of your information. If they get hacked, right? And they do get hacked, then all of your information is available. So, that's a trust that
you have to place in them. So for the average user,
a VPN's gonna be fine. If you're working in cyber warfare, where your life is dependent
upon remaining anonymous, that may not be adequate. In that case, in a cyber
warfare environment, where your life is dependent
upon remaining anonymous, I would prefer either
proxies or the Tor network. Proxies can pose an additional
problem, once again, that they can be hacked as well. I would never trust a
free proxy. All right? Because why would somebody
put up a free proxy? Why would somebody put out a proxy- - 'Cause it's the NSA. (laughs) - [Occupy the Web] What's that? - It's because it's the NSA.
- [Occupy the Web] Yeah. Because the NSA. Exactly. Or it's a GRU or whoever. So remember that the NSA, the GRU, all the intelligence agencies, one of the things that they want to know is everybody's identity. They know that people use proxies. So their job is to figure out who you are and what you're doing. If you were them and your
job was to find that out, wouldn't you put up, "Free proxies, here! Connect to our free proxy! And of course we keep no logs!" And of course that's what they advertise and that way they can at
least get some of the traffic going through their proxies. It doesn't make any money. So they have no business model to, if there's no legitimate
business model to keep 'em safe. If somebody's putting up a free proxy, there's no legitimate business
interest to keeping you safe. As a matter of fact, there's an interest in keeping you unsafe and selling your data. So I recommend, if
you're gonna use a proxy, use a commercial proxy, where you're paying
somebody to keep you safe. - So let's take it to the extreme. I mean, let's say you want to,
your life depends on it. You're a journalist or
someone who's involved in cyber warfare, something like that. You really want to keep yourself safe. So if I understand correctly, you're gonna have two infrastructures, one for like normal and then
one for anonymous stuff. So Starlink or whatever it
is, separate infrastructure, separate laptops, separate
phones, burner phones. You're gonna buy that
with cash if you can. You're gonna use proxy chains or you're gonna use Tor,
something like that. Is that right? Anything else that I've missed? - [Occupy the Web] No, I think that that pretty much covers it. You just wanna make sure that when you're using
those two separate systems, that they do not intersect. The sites that you visit, the things that you do, the information that you
provide do not intersect. Because that intersection can be detected by people who are trying
to determine your identity. - Do I need separate homes
or separate locations? Like do like you said the phone. I mean, I'm just trying to think, like you said, don't put the
two phones together, right? So I'm gonna have to put that in- - [Occupy the Web] Don't put
two phones together on, okay? - [David] Okay. - [Occupy the Web] I mean,
you could put one of 'em in a Faraday cage. Okay? Just so that the location doesn't show, the geolocation services
don't show them being in the same location. Because once you've revealed that, so for instance, you have an Apple phone and
you've got a burner phone and they're both sitting in your office and they're both on, right? They're both showing that
they're in the same location. You've suddenly given away your identity as the person who owns the iPhone, right? That burner phone has now
been linked to that iPhone. - So you put the burner
phone in a Faraday cage or you leave it somewhere else and you don't bring it to your home where you do your normal stuff. - [Occupy the Web] Or
you just turn it off. - What I really appreciate
about Occupy the Web, for everyone who's watching, is he doesn't, it's not
sensationalist nonsense. He's giving you the, you
know, really good information. So Occupy the Web, thanks for doing that. - [Occupy the Web] Of
course. Anytime David. - So Occupy the Web, another one we didn't touch on is email. Do you have any email providers
that you could recommend for secure email? Because email seems to be
one of those things that's, it's easy to find people. - [Occupy the Web] Yes,
email can easily be traced. And so, one of the things that I like and those people who have worked with me and been my students or in some way associated
know that I use ProtonMail. ProtonMail is the only one
that I feel comfortable with. They are based out of Switzerland. It's end-to-end encryption. You might ask yourself, "Well what difference does it make that they're in Switzerland?" Well, the Swiss have particular laws that protect people's privacy more than even the EU does,
or certainly the US does. 'Cause the US doesn't really have any good privacy laws at all. Switzerland has long had the history. That's why there are these
Swiss bank accounts, right? Because the Swiss have special laws of protecting people's privacy. Even if you have end-to-end encryption and the encryption in a service, then if the servers get compromised or law enforcement shows up,
that's often what happens. Law enforcement shows up and
says, "We think that, you know, we need to have the
data from your servers." That's not gonna, that's less likely to
happen in Switzerland than it is in other countries. It's happened in the US,
it's happened in Germany, it's happened in Australia
where law enforcement shows up and wants the records. Canada, where law enforcement shows up. We want the records and
therefore that all of your email and all of your communication
is then compromised. Switzerland has laws that protect privacy that's more strict than other nations do. And ProtonMail, I've been using them for,
I don't know, almost, I actually got one of the
beta accounts at ProtonMail when they first opened up. You had to actually ask for an account and you had to wait like
three or four months to get an account. So I've been with them a long time and I have a lot of confidence that they're gonna do as
good a job as possible to protect my information. There's a number of others
that are out there as well, including Mailfence, PrivateMail,
AnonAddy, Guerrilla Mail, Sekur Mail, what have you. Those are all out there as well. As far as secure operating systems, some of the hardened operating
systems include Qubes, Subgraph, HardenedBSD,
are all good choices if you want a hardened and safe
and secure operating system. One of the things I do wanna
mention before we finish here, and that is that a lot of people believe that making transactions
in Bitcoin is untraceable and that's not true. All right? As a matter of fact, I
have a class coming up, I think it's in December,
on how to trace Bitcoin. If you're trying to remain anonymous and you're using Bitcoin, Bitcoin is traceable. It's not easy to trace,
but it can be traced. So it's not gonna maintain your anonymity. But also remember that
maintaining anonymity is a matter of throwing
up a lot of roadblocks to the people trying to trace you. So the more roadblocks
that you can put up, then the harder it is to trace you. But Bitcoin, a lot of people believe that
they can simply purchase things with Bitcoin and be safe. Now, some of the other cryptocurrencies have better anonymity
than Bitcoin does, so. And that's one of the things that I think we're gonna
talk about in the future. - That'd be great. I could
do a video on that, too. And everyone who's watching, please put in the comments below, would you like to see a
video on Occupy the Web showing us how to trace
Bitcoin transactions? - [Occupy the Web] One other
thing we wanna talk about is anti-forensics. I have a class coming up this
summer on anti-forensics. First of all, I recommend, if
you wanna remain anonymous, that you study forensics and OSN. But after you've studied it, then you have to focus on how
can I keep the information off my machine? This includes cleaning off
any files off your system. As we know, that if you
delete a file on your system, it still is there. So you have to overwrite
files on your system and then, of course, you want
to clean your bash history or wherever you're entering your commands. - What would you say
to people who say that the only way to do operating
systems is to run it in RAM? So you boot off a USB or something and it's all in RAM and then when you finish you pull that out and it's all gone. - [Occupy the Web] Well, I
think that's a really good idea. That's certainly an option, is to simply run your
operating system all in RAM, say off a flash drive, and then once you've
taken the flash drive off, it means it's gone. I mean it is still possible. Well, if you reboot the system, everything is gone and nearly
everything's gone from RAM. 'Cause there's, still, forensic investigators can still pull some information from RAM, even after you've rebooted the system. Remember also that operating systems, when the RAM is full, it begins to write to
the hard drive, right? There's swap files. So the strategy is a good
one, but it's not 100%. That's my point, right? None of these strategies is 100%, but if you put up enough of
these anonymity strategies, the safer you're gonna be. - We spoke about, like,
buying a separate laptop or something for running Linux on, but you could perhaps boot
into RAM on that laptop if you just want to, you
go to the next level. So it's just like layers
and layers and layers of... - [Occupy the Web] Right. - Anonymity, right? - [Occupy the Web] Yeah,
the more layers you put in, okay, the safer you are. My thing that I emphasize
to nearly everybody is that if somebody with enough
skills and enough knowledge and enough resources wants
to find you, they can. But that's key. Enough resources, enough
time and enough skills, they can find you. But, most people don't
have unlimited resources, unlimited time and unlimited skills. What you want to do is make
it as difficult as possible. But if you really need to remain anonymous from, say, the intelligence agencies, that's a really, really difficult job. If you want to remain anonymous from the commercial interests
or your next door neighbor, that's a little bit easier to do, than it is from the intelligence agencies. They have a huge amount of resources and high level of skill. - Occupy the Web, another
one that comes up a lot, search engines. Google's tracking you like crazy. What about DuckDuckGo? Some people say bad things about them. Do you have any favorite search engines? - [Occupy the Web] What
I would prefer, okay? Is to use DuckDuckGo in Brave, all right? The Brave browser. Google is probably the worst in terms of tracking your information. So, Google Chrome is a great browser. I love Google Chrome, but they track everything
that you're doing. So I would recommend
using DuckDuckGo in Brave to remain safest, to have
least amount of information. But once again, remember, that even then you wanna be able to have
two separate identities, so that what you're
searching for in DuckDuckGo is different than what you're
searching for in Google or other places. So the two cannot be connected. - I love what you said, here, because in this interview
you kind of like, putting emphasis on have
different identities, like, have everything separated. A lot of people, I think, make the mistake that
they use the same devices or go to the same websites when they're trying to be anonymous and when they're just normally surfing. And I'm glad that you've
really highlighted that. So, a technical solution isn't
the answer to everything. It's like make sure that
you separate your behavior, I feel like. - [Occupy the Web] Exactly. And also, one of the things that I do is put out false information.
- [David] Yeah. - [Occupy the Web] So, I
leave behind false information that will take people to other identities, so that when they're trying to trace me, all of 'em are not leading
to the same identity, they're leading to multiple identities. And that can at least obscure and make it more difficult to find you. - Occupy the Web, as always, I really wanna thank you
for sharing your knowledge and experience with all of us. You know, you've got many,
many years of experience and you are anonymous online
even though you write books. You share so much information. So thanks for sharing your
warnings and your tips with all of us. I really appreciate it. - [Occupy the Web] You're welcome, David. I always enjoy being on your show and look forward to doing
more of these with you in the future. - So just for everyone who's watching, ideas that you've got, let
us know in the comments, ideas would include
Pegasus, talking about that. What other ones did we think about? Bitcoin, right? - [Occupy the Web]
Bitcoin forensics. Yeah. - What about, like, wifi hacking?
That would be a good one. Bluetooth I think is another good one. And we definitely wanna
have "Mr. Robot," right? - [Occupy the Web] And we'll
do more with "Mr. Robot" as well. - So for everyone watching,
please put your comments below, things that you'd like to see. Occupy the Web, thanks so much. - [Occupy the Web] Thanks,
David. See you soon.